How The Heartbleed Bug Slipped Under The Radar More Than Two Years Ago

More than two years ago German developer Robin Seggelmann introduced a new feature to OpenSSL, the open-source encryption standard that a large chunk of websites use to transmit data. Now, a vulnerability discovered in that addition is responsible for what may be the biggest Internet security flaw in recent history — the Heartbleed bug, according to The Sydney Morning Herald.

OpenSSL is essentially the secure line that servers use when you’re sending an email or chatting on IM. The flaw is particularly dangerous because it’s capable of tricking servers into spitting out information from their memory, which could include sensitive information such as passwords and credit card numbers.

Seggelmann told The Sydney Morning Herald that the vulnerability was “unfortunately” missed by him and a reviewer when he introduced new bug fixes and features to OpenSSL more than two years ago. After he submitted the code, the error slipped past a reviewer and “made its way from the development branch into the released version,” Seggelmann told the Australian publication. According to the Herald, logs show that the reviewer was Dr. Stephen Henson.

Seggelmann described the flaw as “quite trivial,” but said that its effects are “severe.” He said the vulnerability was included in the code purely as a mistake, and that there were no malicious intentions behind the incident.

“It was not intended at all, especially since I have previously fixed OpenSSL bugs myself, and was trying to contribute to the project,” he said to the Herald.

Heartbleed takes advantage of a vulnerability in an OpenSSL feature known as Heartbeat, hence its name. The feature, introduced by Seggelmann, enables arbitrary data to be sent from one end of a connection to another. The receiving end would then ping back an exact copy of that same data to prove that the connection is secure, according to a detailed breakdown by The Register.

After the initial Heartbeat message is sent, however, the bug tricks the recipient server into spilling out data from its memory instead of just sending back an exact copy of the original data. In short, it enables the server to “bleed” out extra information after receiving a Heartbeat message.
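The missing bound described above, as an added illustration that is not code from OpenSSL or from the article: a minimal heartbeat echo handler in C that includes the check the vulnerable code omitted, plus two constructed records, one well-formed and one whose declared payload length exceeds the bytes actually received. The layout constants, function names and sample records are assumptions made for this example.

```c
#include <stdint.h>
#include <string.h>

/* TLS heartbeat layout (RFC 6520): 1-byte type, 2-byte big-endian payload
 * length, payload, then at least 16 bytes of padding. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* Build the echo reply for a received heartbeat record of rec_len bytes.
 * Returns the reply length, or -1 if the record is malformed. The bug was
 * that the declared payload length was copied without being checked against
 * the bytes actually received, so a short record with a large length field
 * echoed whatever followed it in memory; the check marked "fix" closes that. */
int heartbeat_reply(const uint8_t *rec, size_t rec_len,
                    uint8_t *out, size_t out_len)
{
    if (rec_len < 1 + 2 + HB_PADDING || rec[0] != HB_REQUEST)
        return -1;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    /* fix: header + declared payload + padding must fit inside the record. */
    if (1 + 2 + payload + HB_PADDING > rec_len)
        return -1;
    size_t reply_len = 1 + 2 + payload + HB_PADDING;
    if (reply_len > out_len)
        return -1;

    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload >> 8);
    out[2] = (uint8_t)(payload & 0xff);
    memcpy(out + 3, rec + 3, payload);        /* bounded by the fix above */
    memset(out + 3 + payload, 0, HB_PADDING); /* constructed: zero padding */
    return (int)reply_len;
}

/* Constructed sample: a well-formed 4-byte "ping" heartbeat is echoed. */
int demo_well_formed(void)
{
    uint8_t rec[23] = { HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g' }, out[64];
    int n = heartbeat_reply(rec, sizeof rec, out, sizeof out);
    return (n == 23 && out[0] == HB_RESPONSE && !memcmp(out + 3, "ping", 4)) ? n : -1;
}

/* Constructed sample: same 4-byte payload, but the length field claims 65535
 * bytes; the fixed code rejects it instead of reading past the record. */
int demo_over_read(void)
{
    uint8_t rec[23] = { HB_REQUEST, 0xff, 0xff, 'p', 'i', 'n', 'g' }, out[64];
    return heartbeat_reply(rec, sizeof rec, out, sizeof out);
}
```

Without the line marked "fix", the second record would make memcpy read 65535 bytes starting at a 23-byte buffer, which is the over-read the article describes.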

The Heartbleed bug was discovered earlier this week by researchers at security firm Codenomicon and Google Security’s Neel Mehta. Some Web services, such as Twitter and Google, have said that they have already applied the necessary update to address the problem.